[CISSP-D] REVIEW: "Auditing Information Systems", Jack J. Champlain

Subject: [CISSP-D] REVIEW: "Auditing Information Systems", Jack J. Champlain
Date: Mon, 31 Jul 2006 08:14:04 -0800
BKAUINSS.RVW   20060706

"Auditing Information Systems", Jack J. Champlain, 2003,
0-471-28117-4, U$92.00/C$119.99
%A   Jack J. Champlain
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-28117-4
%I   John Wiley & Sons, Inc.
%O   U$92.00/C$119.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471281174/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0471281174/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471281174/robsladesin03-20
%O   Audience i- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   430 p.
%T   "Auditing Information Systems, second edition"

The preface states that the audience is intended to be general (non-
specialist) managers, auditing students, and new auditors, but that
all readers are assumed to be familiar with some fairly specialized
audit concepts.

Part one is for core concepts, more related to computing than
auditing.  Chapter one outlines the basic components of computers, but
tersely, and dealing with specific items rather than ideas.  There is
an odd digression into computer viruses when discussing memory, and a
brief mention of physical and logical controls.  "Identifying Computer
Systems," in chapter two, mostly suggests having an inventory, with a
brief mention of risk assessment.

Part two covers the standard information system audit approach. 
Chapter three explains that an information system audit programme is
basically a checklist.  Definitions of policies and standards (and a
weak interpretation of guidelines) are in chapter four.  Various
country standards for audits (concentrating on what types of opinions
outside auditors can express) and some private certification
organizations are summarized in chapter five.  Chapter six is about
assessing vendors on the basis of audits that have been done on them,
and most of the content repeats, in slightly different wording, the
concepts from chapters four and five.  Physical security is presented,
with some rather large gaps (there is no mention of facilities
construction issues), in chapter seven.  (Somewhat oddly, backups and
business continuity planning are included here.)  Logical security, in
chapter eight, is limited to aspects of access control and operations,
and is padded out with lots of anecdotes under the heading of "case
studies."  Chapter nine's review of information systems operations is
circumscribed and random, and has additional stories.

Champlain seems to think that the topics in part three are
contemporary, or possibly advanced, auditing concepts.  Chapter ten
explains that Control Self-Assessment (CSA) is the idea of having
auditors talk to the people who actually do the work in order to find
out what controls might be necessary (what a novel idea!), and devotes
a great deal of space to describing the various control frameworks,
such as COSO (report of the Committee of Sponsoring Organizations of
the Treadway commission) and CObIT (Control Objectives for Information
Technology).  There is lots of trivia, but little useful information,
about encryption and cryptography in chapter eleven.  Computer
forensics gets slightly better treatment in chapter twelve, but is
restricted to disk recovery and investigation management.  Chapter
thirteen contains miscellaneous topics like computer-aided auditing
tools, and computer viruses, but most of the text concentrates on the
Internet (which section includes, for some reason, a large discussion
of privacy issues).  (Despite the fact that the piece on viruses holds
very little real information, it manages to make a surprising number
of errors, including an astounding retailing of the "Desert Storm"
virus myth that seems to have become inverted.)  Chapter fourteen
seems to be advice on career issues for auditors.   A fairly banal
review of project (particularly development project) management
methods makes up the examination of information systems project
auditing, in chapter fifteen.  Chapter sixteen is a collection of
random thoughts on a variety of risks.

There is a lot of space devoted to "case studies" in the book.  These
anecdotes are often odd, and the relevance to the surrounding text is
difficult to determine.  Similarly, exhibits and tables are not always
illustrative of the subjects under discussion.  Sometimes these
"supporting" materials are the opposite of exemplar: at one point a
"sample" policy is reprinted, but then later content points out a
number of problems with it.

Security professionals are all too used to seeing auditors as the
"enemy": ignorant management weenies and accounting dweebs with little
or no understanding of the technology or information system
operations.  This perception is unfortunate, since the reality is that
nobody can realistically and objectively assess their own work, and
the viewpoint from another perspective is exceedingly valuable for
finding potential problems before they find you.  It's too bad that a
promising activity gets a work like this, which is going to reinforce
the negative prejudice.

copyright Robert M. Slade, 2006   BKAUINSS.RVW   20060706


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
Many wise words are spoken in jest, but they don't compare with
the number of stupid words spoken in earnest.         - Sam Levenson
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm